TOP > 研究成果 > IoTPOT > News


Vulnerability in possibility of running arbitrary codes in router through 53413/UDP

Created March 10, 2016

Chinese made router has vulnerability in possibility of running arbitrary codes through 53413/UDP [1]. IoTPOT could monitor two different types of attacks relating to this vulnerability.

The first one is that, since 2015 August 27th, IoTPOT received commands which downloaded shell scripts by wget and tftp. By running downloaded shell script, the second stage malware binary was downloaded and infected the devices. During 209 days of monitoring period, IoTPOT received 74,619 times of commands from 1,215 hosts to download the shell script and IoTPOT could collect 55 malware binaries of 10 different CPU architectures.

The second one was that IoTPOT received packets having 18 bytes payloads. The main characteristics of these packets were that the actual packet length was different from what was shown in packet header length field. Sandbox analysis of collected malware showed scans on port 53413/UDP with same 18 bytes payloads packets. Thus, we expected that the hosts scanning with these 18 bytes payload packets were also infected by this malware.

[1] TrendLabs SECURITY INTELLIGENCE Blog, Netis Routers Leave Wide Open Backdoor.